Bug in Surveillance Camera

Monday, March 3, 2014 @ 12:03 PM gHale

D-Link issued firmware updates for surveillance camera models from the DCS series to address a persistent SSL certificate vulnerability.

The impacted devices are DCS-820L, DCS-930L, DCS-931L, DCS-932L, DCS-933L, DCS-2330L, DCS-2332L, DCS-2136L, DCS-5010L, DCS-and DCS-5020L. These models can end up storing three SSL certificates used to communicate with the mydlink service and the mobile application.

D-Link said this is an inappropriate implementation, so the company has decided to roll out firmware updates to address the flaw.

Christopher Schmitt, an information security engineer at Mandiant, reported the security bug to D-Link in January.

The advisory published earlier said the certificates in question are meant to protect communications between the application and the camera, and they perform this task as intended. However, the fact that they are persistent makes the devices vulnerable.

“If a malicious user had managed to get privileged network access, they could potentially obtain the cert., intercept, and decrypt the camera control information. After understanding how the camera control functions, further research may result in access to the media-stream functions,” reads the advisory.

D-Link said it is not aware of any attack exploiting this issue. However, the company encourages users to update their device’s firmware since “all features and services could end up affected beyond just mydlink-cloud features.”